> > Why on earth does so much of the default desktops depend on polkit
> > when very little breaks when it is disabled!
>
> Because "very little" is not "nothing at all."

But 99% of the code would work just fine without it, and does if you remove its suid.

On Fri, 05 Apr 2013 15:39:30 -0400 Phillip Susi <ps...@ubuntu.com> wrote:

> > I have decided that sudo is superior to polkit in every way for
> > both developers and users, except for if developers want to be lazy
> > and outsource policy creation to more general and so less specific
> > and so obviously likely less secure ones. I do not wish to debate
> > that, and all debates I have seen have simply shown a lack of
> > understanding of what sudo can do.
>
> One is not "better" than the other, as sudo and PolicyKit do two
> completely different things. sudo is a command used to run other
> commands as root. PolicyKit allows services that (typically, but not
> necessarily) are already running as root to accept requests to
> perform actions via DBUS in a restricted way.

If you really wanted to do that you would find the likes of SELinux, RBAC, TOMOYO and AppArmor more effective, more useful to a user and less of a risk; however, they do not save you from writing bad code, and sudo encourages the best of that in a nice privilege-separated utility. If it were the case that polkit just did that, then sudo would still be my choice, as it is not always running, is filesystem based and, as Android realises (we'll ignore their dbus security problems), the program dev is the only one who can truly minimise privileges (though I wish Android would let you override them; perhaps ubuntu-mobile will). But it wouldn't be a big problem, and we wouldn't have all these dependency issues, and when reducing the number of root programs, such as running rsyslog as its own user, you could decide whether or not to run polkit with no restrictions.

Let's analyse the situation due to polkit doing two things, and primarily its secondary task, rather than one thing and doing it well as per the Unix philosophy.

The man page says it does as you have said, though I have seen very little of that (thankfully, as it is wrong in my book), and it also handles policies granting privileges. Ignoring the positives of sudo, and bearing in mind that sudo makes no stipulations upon users' systems, uses zero resources (there are reports of Gentoo systems without polkit being quicker) and is easy to configure even from a console, let's look at just the dependency negatives of polkit (this post is already too long), which I am convinced was developed by Red Hat to fit in with PAM and because they seemingly have little idea about sudo's abilities and group permissions, unlike Debian, who always used them fairly well. Let's not forget that PAM has not got a great security record either.

nvidia-settings wants to install an xorg.conf file. An Nvidia user could easily have this ability via sudo, and a sudoers policy could be provided in two seconds. Maybe a user like me doesn't even care and just wants to create a config and install it himself, or just change the brightness upon login from an rc script. This requires no extra privileges. What are his choices? Run polkit with all the defaults, which is far more permissions and code running as root than he needs. Look into locking it down, yet it is still pointlessly running as root and notoriously annoying to configure, not to mention pointlessly pulling in things like the JS package, which aids ROP attacks. Disable its suid and, if he knows how, redirect all the "setuid not correct" logs to null. Or the best option for the average user with any ability at all: remove polkit.

I decided to make my Ubuntu gaming machine leaner for Steam recently and I was appalled at how bad the situation needlessly is. The whole of KDE out the window, when 99% of it has nothing to do with polkit; no problem, I was aiming for leaner anyway.

Udisks, no problem; having to use usbmount or some udev rules to run the beautifully Unix-like mount program is a stupid problem to have, but again, I can live with it, and I do anyway for systems I wish to secure. nvidia-settings gone, how annoying. Install from nvidia.com, still without polkit, and I have 100% of its functionality back. I just have to update it manually. Pulseaudio gone. OK, I can use ALSA; pulseaudio doesn't work with a grsecurity kernel anyway, and I can finally get around to learning about jackd, which is meant to be far better anyway, and perhaps apply it to all my systems. Steam-launcher gone, as it requires jockey, which requires polkit. OK, I install Steam-launcher from steampowered.com. Runs just fine. I am annoyed but glad with my lean machine.

BUT, now even though my machine works fine and how I want, I can't update the machine without pulling in polkit for jockey, which the Steam launcher that I wasn't allowed to install from the repo requires. These types of problems have spawned things like spacefm, which I am very impressed with for its independence, modular nature and user empowerment. All of this could be simply avoided, with many benefits, if a well-designed user-facing program like sudo was used in the first place for the single task it was designed to do well.

Again, I often read things like "I know polkit is superior to sudo but", without justification, and I'm almost certain I know all the arguments and it absolutely is inferior, even on a security front.

--
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
_______________________________________________________________________
Archive: http://lists.debian.org/20130406011219.2adab...@kc-sys.chadwicks.me.uk
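As an added example (not from the post, and not Debian's or NVIDIA's packaging) of the kind of sudoers policy the author says could cover the nvidia-settings case: a drop-in that lets one group install a prepared file to /etc/X11/xorg.conf and nothing else. The group name `xorgadmin`, the staging path `/var/lib/xorg-staging/xorg.conf.new` and the log file path are assumptions.

```sudoers
# /etc/sudoers.d/xorg-install  (added example; syntax-check before use with: visudo -c -f <file>)
# Assumed: a group "xorgadmin" exists, and /var/lib/xorg-staging is writable only by that
# group, so no other local user can swap the source file between staging and install.
#
# sudo matches the command AND its argument list verbatim, so a member can only copy this one
# source path to this one destination with these ownership/mode flags. Running install with
# different arguments, no arguments, or another destination is refused and logged.
Cmnd_Alias XORG_INSTALL = /usr/bin/install -m 0644 -o root -g root \
    /var/lib/xorg-staging/xorg.conf.new /etc/X11/xorg.conf

# Members of xorgadmin may run exactly that command as root. The password prompt is kept
# (no NOPASSWD) so an unattended or hijacked session cannot use the rule silently.
%xorgadmin ALL = (root) XORG_INSTALL

# Record each use of this rule in a dedicated log (in addition to the default syslog entry),
# which makes "who replaced the X config, and when" a one-line check during an investigation.
Defaults!XORG_INSTALL logfile=/var/log/sudo-xorg.log
```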